FTP Server Administration Guide


FTP Server 


The NetWare® FTP Server provides FTP service for transferring files to and 
from NetWare volumes. 


You can use the file transfer protocol command from a workstation with FTP 
access to log in to an NDS® tree. You can also perform file transfers from any 
FTP client by using the FTP Server to log in to an NDS tree. After logging in 
to an NDS tree, you can navigate to other NetWare servers (in the same NDS 
tree) that may not be running FTP service. 


Understanding


The NetWare® FTP Server is based on the standard ARPANET File Transfer 
Protocol that runs over TCP/IP and conforms to RFC 959. You can perform 
file transfers from any FTP client by using the FTP Server to log in to the 
NDS® tree. 


Features of the NetWare FTP Server 


The main features of the NetWare FTP Server include the following: 
+ Multiple Instances 
+ Access Restrictions 
+ Intruder Log In Detection 
+ Remote Server Access 
+ Anonymous User Access 
+ Special Quote Site Commands 
+ Firewall Support 
+ Active Sessions Display 
+ Name Space Support 
+ Simple Network Management Protocol Error Reporting Service 
+ FTP Logs 
+ Contextless Log In 
+ Welcome Banner and Message File Support 


Multiple Instances 


You can load multiple instances of the FTP Server on the same NetWare 
server. Each instance can be loaded either to bind to an IP address 
corresponding to each Network Interface Card (NIC), or to different ports on 
a single NIC. Typically, each instance could be used to provide FTP service to 
different sets of users. Each instance can be loaded with different sets of 
configuration parameters, such as IP addresses and port numbers to bind to, 
different access restrictions files, and so on. However, the combination of IP 
addresses and port numbers should be unique for each instance. 


For further details, see Multiple Instances of the FTP Server under 
"Managing." 


See Parameters Related to Multiple Instances for more details on parameters. 


Access Restrictions 


You can restrict FTP access at various levels through various types of access 
rights. The various levels at which FTP access can be restricted are: Host, 
Domain, Container and User. For each level the access rights that can be 
specified are: Allow (allows FTP access), Deny (denies FTP access), Readonly 
(gives read-only access), Guest (gives guest access to user), and Noremote 
(restricts access to remote server). 


For a complete list of access rights and levels, see Access Restrictions under 
"Managing." 


See Parameters Related to Access Restrictions for more details on parameters. 


Intruder Log In Detection 


The NetWare FTP Server lets you detect an intruder host or user who tries to 
log in using an invalid password. Users are marked as intruders when they try 
to log in with wrong passwords for more than a specified number of times. 
Similarly, a host is marked as an intruder when any user from that host tries to 
log in with a wrong password more than a specified number of times. The 
number of intruder user and host attempts allowed can be specified in the 
configuration file. Once a user is marked as an intruder, the user is not allowed 
to log in from a host for a certain period of time, which can also be specified 
in the configuration file. If a host is marked as intruder, no user from that host 
can log in for a certain period of time, which can also be specified in the 
configuration file. 


For further details, see Configuring FTP Server Parameters under "Setting 
Up." 


See Parameters Related to Intruder Detection for more details on parameters. 


Remote Server Access 


Using the Remote Server Access feature, FTP users can navigate and access 
files from other NetWare NDS servers in the same NDS tree and remote IBM* 
servers. The remote servers need not be running the NetWare FTP Server. 


Remote NetWare NDS Servers 


The NetWare FTP Server can run on any of the servers in the NDS tree, and 
you can browse through all the servers in the NDS tree and perform file 
operations specified by FTP. 


Figure 1 shows how the NetWare FTP Server accesses remote NetWare 
servers. 


Figure 1 FTP Server Accessing Remote NetWare Servers 


[Figure 1: A workstation running FTP client software connects by FTP to the local NetWare server running the FTP service. After logging in to the FTP Server, the user accesses the remote server from the command line. The user can now access files on the remote NetWare server (running NetWare 4.1 or later) without the FTP service.] 


The NCP protocol allows you to navigate to and from remote NDS servers and 
transfer files. 


Remote IBM* Server 


The NetWare FTP Server can run on any of the servers in the NDS tree and the 
user can browse through all the remote IBM servers and perform file 
operations specified by FTP. 


Figure 2 shows how the NetWare FTP Server accesses the IBM server. 


Figure 2 FTP Server Accessing the IBM Server 


[Figure 2 labels: FTP client software; local NetWare server running the FTP service; AFTP of NetWare SAA; remote IBM server. After logging in to the FTP Server, the user accesses the remote server from the command line. The user can now access files on the remote IBM server.] 

The NetWare FTP Server uses the AFTP Gateway component of NetWare- 
SAA to access remote IBM servers. 


In order to navigate between IBM servers, it is assumed that users will have 
the same username and password in all the IBM servers. 


For further details, see Remote Server Access under "Managing." 


See Parameters Related to Logging In an NDS Tree for more details on 
parameters. 


Anonymous User Access 


The FTP Server provides a command line option to set up the Anonymous user. 
This NetWare user account can be used for general FTP transfer. 
Administrators can choose to enable or disable the Anonymous access. The 
home directory for the anonymous or guest user can be specified in the 
configuration file. 


FTP users can log in as Anonymous and perform file operations. The FTP 
Server can be configured to accept users’ e-mail addresses as passwords. 


For further details, see Anonymous User Access under "Managing." 


See Parameters Related to Anonymous User Access for more details on 
parameters. 


Special Quote Site Commands 


The NetWare FTP Server provides a set of Special Quote Site commands 
which are specific to NetWare. These commands can be used to change or 
view some of the NetWare server specific parameters such as client name 
space, server in the NDS tree, and so on. 


For a list of commands, see Special Quote Site Commands under "Managing." 


Firewall Support 


The FTP Server opens a data connection with an FTP client during transfer of 
data. When the FTP client is behind a firewall, the FTP Server cannot connect 
to the FTP client, so the NetWare FTP Server supports passive mode data 
transfer and also allows a range of passive data ports to be configured. 


See Parameters Related to Firewall Support for more details on parameters. 


Active Sessions Display 


Active Sessions Display provides details of all the active FTP instances at a 
particular time. The active instances and session details can be viewed from 
any browser. The information provided includes a list of all instances, details 
of each instance, all sessions in an instance, and all details of each session. 


For further details, see Active Sessions Display under "Managing." 


Name Space Support 


The NetWare FTP Server can operate in both DOS and LONG name spaces. 
The FTP Server starts with a specified default name space. However, the FTP 
user can also dynamically change the name space, using one of the Quote Site 
commands. 


If a NetWare volume does not support the LONG name space, the FTP Server 
enters the DOS name space on its own. When it comes across a volume which 
supports the LONG name space, it changes the name space. 


For further details, see Special Quote Site Commands under "Managing." 


Simple Network Management Protocol Error Reporting Service 


Simple Network Management Protocol (SNMP) traps are issued when: 
+ An FTP log in request comes from an intruder host 
+ A log in request comes from a node address restricted through NDS 


The messages can be seen on the management console. 


FTP Logs 


The FTP service maintains a log of various activities of FTP Server through 
the following log files: 


+ FTP Audit: The FTP Audit log file maintains information on FTP sessions 
and activities. Information such as log in, log out, and files operated are 
logged in this file. 

+ Intruder: The Intruder log file maintains the details of unsuccessful log in 
attempts. 

+ Status: Details of all active sessions such as the number of users logged 
in and out, the number of failures during data transfer and so on are 
maintained in the Status log file. 

+ System: All the system error messages and FTP Server related messages 
(other than the messages related to sessions) are logged in this file. 


The names of these files can be specified in the configuration file. For the 
formats of the above files see FTP Log Files under "Managing." 


See Parameters Related to FTP Logs for more details on parameters. 


Contextless Log In 


Typically, while logging in, FTP users need to provide the full context of 
where they exist. The FTP Server eliminates this need by using NetWare 
Catalog Services. The FTP Server can be configured to use the Catalog 
Services so that when users log in the FTP Server will automatically use the 
current context. 


For installation of Catalog Services, see Configuring Contextless Log In under 
"Setting Up." 


See Parameter Related to Contextless Log In for more details on parameters. 


Welcome Banner and Message File Support 


The NetWare FTP Server displays the following files to the user: 
+ A welcome banner when an FTP client establishes a connection. 


+ A message file when the user changes the directory in which the file 
exists. This file can be used to list the contents of the directory. 


The paths for these files can be specified in the configuration file. 


See Parameters Related to Welcome Banner and Message Files for more 
details on parameters. 


Setting Up 


In this section the following is discussed: 
+ Configuring FTP Server Parameters 
+ Configuring Contextless Log In 


Configuring FTP Server Parameters 


Before you start the NetWare® FTP Server, you should configure it by 
defining the configuration parameters in the configuration file. The default 
configuration file is SYS:/ETC/FTPSERV.CFG. See FTP Server Start-Up 
under "Managing" for details on starting the NetWare FTP Server. When the 
NetWare FTP Server is started, the IP address of the host (HOST_IP_ADDR) 
and the port number of the NetWare FTP Server (FTP_PORT), as defined in 
the configuration file, are used to bind to and listen for FTP client connection 
requests. If these parameters are not defined in the configuration file, the FTP 
Server binds to all configured network interfaces and the standard FTP ports. 


Multiple instances of the NetWare FTP Server can run on a single machine 
with different IP addresses and port numbers. The various parameters in the 
configuration file along with the default values are described below: 


Parameters Related to Multiple Instances 


Parameter      Default Value           Description

HOST_IP_ADDR   All network interfaces  The IP address of the host on which the FTP Server is being loaded
FTP_PORT       Standard FTP port: 21   The port number to which the FTP Server should bind and listen for connection requests


Parameters Related to FTP Session 


Parameter             Default Value  Description

MAX_FTP_SESSIONS      30             Maximum number of FTP sessions that can be active at one point in time
IDLE_SESSION_TIMEOUT  600 seconds    Duration in seconds for which any session can remain idle. The session will never time out if the value is set as negative.





Parameters Related to Anonymous User Access 


Parameter                    Default Value  Description

ANONYMOUS_ACCESS             No             Used to specify whether anonymous user access is allowed. Valid values are Yes or No.
ANONYMOUS_HOME               SYS:/PUBLIC    The anonymous user's home directory.
ANONYMOUS_PASSWORD_REQUIRED  Yes            Specifies whether to ask for e-mail ID as the password for anonymous guests to log in. Valid values are Yes or No.


Parameters Related to Access Restrictions 


Parameter      Default Value         Description

RESTRICT_FILE  SYS:/ETC/FTPREST.TXT  The FTP Server can define access restrictions to various levels of users, hosts, and so on. These restrictions are defined in a file. The path of this file can be specified here.





Parameters Related to Logging In an NDS Tree 


Parameter           Default Value  Description

DEFAULT_USER_HOME   SYS:/PUBLIC    The default home directory of the user.
IGNORE_REMOTE_HOME  No             Specifies whether to ignore the home directory, if it is on a remote server, and go to the default directory. Valid values are Yes or No.
IGNORE_HOME_DIR     No             Specifies whether to ignore the home directory and go to the default directory. Valid values are Yes or No.


Parameters Related to Intruder Detection 


Parameter               Default Value  Description

DEFAULT_NS              LONG           The default name space.
INTRUDER_HOST_ATTEMPTS  20             The number of unsuccessful log in attempts for intruder host detection. At value 0, intruder host log in detection is disabled.
INTRUDER_USER_ATTEMPTS  5              Number of unsuccessful log in attempts for intruder user detection. At value 0, intruder user log in detection is disabled.
HOST_RESET_TIME         10             Time interval in minutes during which the intruder host is not allowed to log in.
USER_RESET_TIME         5              Time interval in minutes during which the intruder user is not allowed to log in.





Parameters Related to Firewall Support 


Parameter         Default Value  Description

PASSIVE_PORT_MIN  1              Minimum port number used for establishing passive data connection.
PASSIVE_PORT_MAX  65534          Maximum port number used for establishing passive data connection. The port value is 1-65534. The minimum value should always be less than or equal to the maximum value.





Parameters Related to Welcome Banner and Message Files 


Parameter       Default Value         Description

WELCOME_BANNER  SYS:/ETC/WELCOME.TXT  When the FTP client establishes a connection, the contents of this file will be displayed. For this, the file of that name should exist in the directory.
MESSAGE_FILE    MESSAGE.TXT           When the user changes the directory, the contents of this file will be displayed. For this, the file with that name should exist in the directory.





Parameter Related to Contextless Log In 


Parameter         Default Value  Description

FTP_CATALOG_NAME  FTPCAT         The object name for the FTP catalog for contextless log in.


Parameters Related to FTP Logs 


Parameter     Default Value  Description

FTP_LOG_DIR   SYS:/ETC       The directory in which log files will be stored.
LOG_LEVEL     7              Indicates the log level. These are: L_ERROR 1, L_WARNING 2, L_INFO 3. The log levels indicate bits for which any combination can be given. For example, if LOG_LEVEL is 3, then error messages and warning messages will be logged.
FTPD_LOG      FTPD           The file contains all the internal system related information encountered by the FTP Server.
AUDIT_LOG     FTPAUDIT       The file has details about the log in activities of the user.
INTRUDER_LOG  FTPINTR        The file provides information about unsuccessful login attempts.
STAT_LOG      FTPSTAT        The details of all active sessions are maintained in this file.
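

The parameter tables above, applied as a review of one configuration file. This is an added example, not code from this guide or from the product: parameter names and defaults come from the tables, while the NAME = VALUE line syntax, the # comment character, the max_passive_ports review threshold and the sample file contents are assumptions.

```python
# Defaults as listed in the parameter tables of this guide.
DEFAULTS = {
    "ANONYMOUS_ACCESS": "No",
    "ANONYMOUS_PASSWORD_REQUIRED": "Yes",
    "IDLE_SESSION_TIMEOUT": "600",
    "INTRUDER_HOST_ATTEMPTS": "20",
    "INTRUDER_USER_ATTEMPTS": "5",
    "PASSIVE_PORT_MIN": "1",
    "PASSIVE_PORT_MAX": "65534",
}


def parse_config(text):
    """Return the effective settings (file values over defaults).

    ASSUMED syntax: one NAME = VALUE per line, '#' starts a comment.
    """
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        settings[name.strip().upper()] = value.strip()
    return settings


def _number(settings, name, findings):
    """Read an integer parameter; record a finding if it is malformed."""
    try:
        return int(settings[name])
    except ValueError:
        findings.append((name, "not an integer: %r" % settings[name]))
        return None


def audit(settings, max_passive_ports=1000):
    """Return (parameter, message) findings for security-relevant settings.

    max_passive_ports is a hypothetical review threshold, not a product limit.
    """
    findings = []
    if settings["ANONYMOUS_ACCESS"].lower() == "yes":
        findings.append(("ANONYMOUS_ACCESS", "anonymous log in is enabled"))
        if settings["ANONYMOUS_PASSWORD_REQUIRED"].lower() == "no":
            findings.append(("ANONYMOUS_PASSWORD_REQUIRED",
                             "anonymous users are not asked for an e-mail ID"))
    for name, kind in (("INTRUDER_USER_ATTEMPTS", "user"),
                       ("INTRUDER_HOST_ATTEMPTS", "host")):
        if _number(settings, name, findings) == 0:
            findings.append((name, "intruder %s detection is disabled" % kind))
    timeout = _number(settings, "IDLE_SESSION_TIMEOUT", findings)
    if timeout is not None and timeout < 0:
        findings.append(("IDLE_SESSION_TIMEOUT", "idle sessions never time out"))
    low = _number(settings, "PASSIVE_PORT_MIN", findings)
    high = _number(settings, "PASSIVE_PORT_MAX", findings)
    if low is not None and high is not None:
        if not (1 <= low <= 65534 and 1 <= high <= 65534):
            findings.append(("PASSIVE_PORT_MIN", "port values must be 1-65534"))
        elif low > high:
            findings.append(("PASSIVE_PORT_MIN",
                             "minimum is greater than PASSIVE_PORT_MAX"))
        elif high - low + 1 > max_passive_ports:
            findings.append(("PASSIVE_PORT_MAX",
                             "passive range spans %d ports that the firewall "
                             "must admit" % (high - low + 1)))
    return findings


# Constructed sample file, not a shipped FTPSERV.CFG.
SAMPLE_CFG = """\
# instance bound to one interface
HOST_IP_ADDR = 192.0.2.10
FTP_PORT = 21
ANONYMOUS_ACCESS = Yes
ANONYMOUS_PASSWORD_REQUIRED = No
INTRUDER_HOST_ATTEMPTS = 0      # host detection switched off
IDLE_SESSION_TIMEOUT = -1
PASSIVE_PORT_MIN = 50000
PASSIVE_PORT_MAX = 50100
"""

if __name__ == "__main__":
    for parameter, message in audit(parse_config(SAMPLE_CFG)):
        print("%-28s %s" % (parameter, message))
```

Run against an empty file, the same review reports only the default passive range of 1-65534, which is the one default in the tables that leaves the firewall rule as wide as it can be.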


Configuring Contextless Log In 


NDS® Catalog Services can be installed through the NetWare 5.0 or NetWare 
5.1 server installation. To enable Contextless Log In to function, you must 
install NDS Catalog Services and create a Contextless Log In Catalog. 


If you have administrative rights you can install Catalog Services by logging 
in to the target tree and following these steps: 


1 Install NDS Catalog Services with the NetWare 5 or NetWare 5.1 
installation. 


Select to install all except the NDS Catalog Services SDK. 


During the Catalog Services setup, select a tree and server and copy the 
dredger (DSCAT.NLM) to them. 


IMPORTANT: The install program modifies the server AUTOEXEC.NCF to 
automatically load DSCAT.NLM. After installation, if you want to edit this file, load 
it manually and edit it. 


2 From the Start Menu, run the NetWare Administration Utility program 
such as Z:\PUBLIC\WIN95\NWADMN95.EXE. 


To create the Catalog Object, type 

NDSCat:Master Catalog 

and name it FTPCAT. 

Save it in the default context on the server. 


Select the catalog object just created and define the following additional 
attributes. 


See Identification Page, Filter Page, Attributes/Indexes Page, and Schedule 
Page for more information. 


Identification Page 


To create the Identification Page 


1 Select the Browse button to the right of the Host Server field. 
2 Select the host server. 
3 Click Security Equals > select the Admin user. 


Filter Page 


From the Filter Page type, 

"Object Class" = "User" 

IMPORTANT: Include the quotation marks in the command. 


Select the Search Subtree. 


Leave the Context Limits field blank or designate the context limiting 
container. 


This will be the starting point for the dredger to fill the catalog with users. In 
other words, only users in this container and below will be added to the 
FTPCAT database. (If this field is blank, the entire tree will be cataloged from 
the [root] container down.) 


Attributes/Indexes Page 


From the Attributes/Indexes Page 


1 Select the Selected Attributes > click on Select Attributes. 
2 Select CN from the available list > click Add OK. 
3 Click Select Indexes. 
4 Select CN from available > click Add OK. 


Schedule Page 


1 From the Schedule Page, select Manual. 


IMPORTANT: If you add more users to your tree, you'll need to update the catalog 
as well. 


2 Click OK to save all your changes. 


3 Right-click Root or the container used in the Filter Page > select Trustees 
of This Object. 


4 Click Add Trustee. 




5 Locate the catalog FTPCAT created and add it as a trustee. 
6 FTPCAT should now appear in the Trustees list for this container. 


Verify that Browse is enabled under Object rights. Also verify that 
Compare and Read are enabled under Property rights. This gives the 
catalog object rights to the container in order to read objects and populate 
the catalog. 


7 Click OK to save your changes. 
8 Right-click Trustees of This Object 
9 Click Add Trustee. 
10 Select [Public] under the Available objects listing > select OK. 


[Public] should now appear in the Trustees list for the catalog FTPCAT. 
Verify that Browse is enabled under Object rights. Also verify that 
Compare and Read are enabled under Property rights. This gives FTP 
Server the ability to open and read a catalog using [public] rights. This is 
necessary because the user is not currently authenticated to the tree. 


11 Click OK to save changes. 

12 Go to the server and load DSCAT.NLM or verify that it is loaded 
13 Return to the workstation and run the Administration tool again. 
14 Select the catalog object. 


15 Open the Schedule page and select Update Now (unless you are using 
automatic updating). 


16 Return to the server and wait for a successful dredge of the catalog. 


After the line that says FTPCAT dredge is complete appears, unload the 
DSCAT.NLM if you wish. 


17 Return to the Administration tool and verify that the catalog has data by 
re-selecting the FTPCAT object. 


18 Select the summary page and verify the dates and times. 


19 Click Query and query the catalog. You should only see a listing of 
distinguished names for all users currently defined in the database (tree). 


20 Exit the Administration tool. 


IMPORTANT: Before starting the FTP Server, the DSCQRY32.NLM must be 
loaded on the server. This is the NLM which provides the Catalog Services APIs 
required for querying the catalog. 


Managing 


In this section the following are discussed: 
+ FTP Server Start-Up 
+ Using the FTP Server from an FTP Client 
+ Administering the NetWare FTP Server 


FTP Server Start-Up 


The FTP Server can be loaded from the NetWare® server using the following 
command: 


nwftpd 


The server takes the default configuration file SYS:/ETC/FTPSERV.CFG. On 
installation, this configuration file has all the parameters, commented, with 
their default values. 


To start the NetWare FTP Server with a different configuration file (for 
example: MYCONFIG.CFG), place the file in the SYS:/ETC directory and use 
the following command line option: 


nwftpd -c myconfig.cfg 


For Creating Anonymous User 


For creating an anonymous user, type the following command: 


nwftpd -a [-c Configfile] 


The server takes the anonymous user home directory from the configuration 
file and displays it on the screen with the option to modify the directory. 


Active Sessions Display Start Up 


To load the Active Sessions Display Utility, type the following command: 


ftpstat [-p <port number>] 


The server takes a port number to which the HTTP browser should connect to 
view the NetWare FTP active sessions. The default port is 2500. 


Using the FTP Server from an FTP Client 


This section describes the use of an FTP Server from an FTP client. It discusses 
the following: 


+ Starting an FTP Session 
+ Paths Formats 
+ Remote Server Access 
+ Special Quote Site Commands 
+ Name Space and Filenames 


Starting an FTP Session 


Users can start the FTP session from a workstation running FTP client 
software using the following command: 


ftp hostname 


where hostname is the name of the server in the DNS or IP address of the 
NetWare server running the FTP service. The FTP Server then prompts the 
user for a username and password. 


The following are the session-based details and are not tied to individual user 
logins: bytes sent, bytes received, session duration, files sent, files received, 
and current NDS context. 


See Parameters Related to FTP Session for more details on parameters. 


Logging in to the NDS Tree 


An NDS user can log in to the FTP Server either by specifying the user name 
with full context or with a context relative to the default context (which is the 
context of the NetWare server where FTP is running). If the context is not 
specified, the FTP Server searches for the user only in the current session 
context. 


If the Catalog Services is enabled, then the user doesn’t need to specify the 
context. If multiple users exist with the same name in different contexts, the 
full distinguished name of the user needs to be specified. The context is set to 
the user's context after logging in. 


If a user with an expired NDS password attempts to log in to the FTP Server, 
a message stating that the password has expired is returned after the user logs 
in. Logging in with an expired password uses the grace logins. If all the grace 
logins of the user expire, the user cannot log in and receives an error message. 


After the user logs in, the FTP Server places the user in the user's NDS home 
directory (if defined) and attaches the user to the server where the home 
directory resides. 


If the NDS home directory is not defined or cannot be located, the FTP Server 
places the user in the default user home directory specified in the 
configuration file. 


A user is placed in the default user home directory under the following 
conditions: 


+ If IGNORE_HOME_DIR is set to yes. 


+ If IGNORE_REMOTE_HOME is set to yes and the user’s home 
directory is on a remote server. 


Logging in to an IBM Server 


To log in to a remote IBM server, the user should have a user account in that 
server. To log in to the IBM server from FTP client, the user should start an 
FTP session using FTP Host and should give the username in the following 
format: 


@IBMservername.username 


To log in to IBM server from the browser, the following format should be 
used: 


ftp://+IBMserver+username:password@FTPHost 


For logging in as anonymous user, the user name and password can be 
omitted: 


ftp://+IBMservername@FtpHost 


After logging in to the IBM server, the user is placed in the home directory in 
that IBM server. 


While logging in to IBM server, the user is not authenticated to the NDS tree. 
So, navigation between IBM servers and NDS servers is not possible. 


Remote Server Access 


The double slash (//) indicates that the user wants to access a remote server. 
The name of the remote server must be the first entry after the double slash. 


Navigating to NDS Servers 


After logging in to the NDS tree, users can access files and directories on a 
remote NetWare server that may not be running the FTP service. 


To navigate to remote servers, type: 


cd //remote server name/volume/directory pathname 


File operations such as get, put, and delete can be used on the remote server, 
even without changing directory path to that server. For example: 


get //remote server name/volume/directory path/file name 


If the current directory is on a remote server and the remote server goes down, 
the user is placed in the home directory in the home server. While switching 
back to the home server, if the home server is not available, the user is placed 
in the default user home directory. 


Navigation to IBM servers 


The IBM server to which the user logs in first will be considered the home 
server. Once logged in to an IBM server, the user can navigate to other remote 
IBM servers which identify the user with the same username and password. 
To navigate to remote servers the following format should be used: 


cd //@IBM server name/path 


File operations such as get, put, and delete can be done only when the user is 
currently in that server. 


If the current directory is on a remote server and the server goes down, the user 
is placed in the home directory in the home server. While switching back to 
the home server, if the home server is not available, the remote server is made 
the home server. If the current directory is in the home server and the server 
goes down, the user is logged out. 


Paths Formats 


The volume and directory path name must be specified in the following format: 

//server name/volume name/directory path 


To navigate to different volumes, type: 


cd /volume name 


To switch back to home directory, type: 
cd - 


To switch to home directory of any user, type: 
cd -user name 


Special Quote Site Commands 


The SITE command enables FTP clients to access features specific to the 
NetWare FTP Server. 


The SITE command has the following syntax: 


QUOTE SITE [SLIST | SERVER | HELP | CX {CONTEXT} | LONG | 
DOS | OU] 


These commands are unique to the NetWare FTP service and are not standard 
FTP commands. 


A list of quote site commands and their descriptions is given below: 


Command  Description

SLIST    Lists all the servers within the NDS tree
SERVER   Lists all the servers in the NDS tree relative to the current context
HELP     Displays the help file related to the quote site commands
CX       Changes the current context to the specified context
OU       Shows all the organizational units relative to the current context
LONG     Changes the configured name space to the LONG name space
DOS      Changes the configured name space to the DOS name space.





The parameters are defined as follows: 


+ HELP displays a description of and the syntax for all site commands. 

+ The CX parameter enables the user to browse the NDS tree for servers or 
OUs. 

  CX with a context as an argument sets the current NDS context to a given 
  value. For example: 

  cx ou=test sets the context to the OU test using the relative context 

  cx .ou=test.o=acme sets the context to the OU test using the absolute 
  context 

  CX without a context displays the current context of the FTP client. 

  CX with the argument - resets the context back to user’s context. 

+ DOS changes the configured name space to the DOS name space. All 
NetWare volumes support the DOS name space. 

+ OU enables users to display the NDS organizations (containers) below 
the current NDS context. 

+ SERVER displays all NetWare servers in the current NDS context and its 
sub-OUs. 

  For example, SITE SERVER displays all NetWare servers in the current 
  context. 

+ SLIST displays NetWare servers in the whole of the NDS tree. 


Name Space and Filenames 


FTP Server supports DOS and LONG name space. The default name space is 
configured in the configuration file. FTP users can also change it dynamically 
using the QUOTE SITE DOS command or the QUOTE SITE LONG 
command. 


The default configured name space is LONG. 


When the user changes the name space, the change affects only those volumes 
that support the specified name space. If the LONG name space is not 
supported on a specific volume, users must follow the DOS file naming 
conventions of using no more than eight characters for the name plus no more 
than three additional characters for the suffix following the period. 


In both name spaces, the user views the response to the ls or dir in the 
NetWare format only. Format of the directory listing is as follows: 


type rights owner size time name 


where the above variables stand for: 


+ Type: Type of file, where {-} indicates a file and {d} indicates a directory. 

+ Rights: Effective NetWare rights of the user to this file or directory. 

+ Owner: NetWare user who created this file or directory. In case the 
mapping of objects and the owner’s name is not found, the object ID is 
displayed. 

+ Size: The size, in bytes, of the file or directory. In case of a directory, it is 
always 512. 

+ Time: The modification date and time of the file or directory. 

+ Name: The name of the file or directory in the current name space. 


Administering the NetWare FTP Server 


This section discusses the administration of the following: 


+ Multiple Instances of the FTP Server 
+ Intruder Detection 
+ Access Restrictions 
+ Anonymous User Access 
+ FTP Log Files 
+ Active Sessions Display 


Multiple Instances of the FTP Server 


Multiple instances of the FTP Server can be initialized if the NetWare Server 
has multiple network interface cards. Each FTP Server should have a unique 
IP address and port number combination. Each FTP Server instance can have 
its own configuration file, access restrictions file, and can listen on different 
IP addresses and port numbers. 


The IP address of the host (HOST_IP_ADDR) and the port number 
(FTP_PORT) as defined in the configuration file are used to bind to and listen 
for FTP client connection requests. The configuration file can be specified 
while starting the FTP Server. If these parameters are not defined in the 
configuration file, the default IP address and the standard FTP port number are 
used. 


See Parameters Related to Multiple Instances for more details on parameters. 


Intruder Detection 


A user is considered an intruder when the number of unsuccessful log in 
attempts exceeds the number specified in the configuration file 
(INTRUDER_USER_ATTEMPTS). Similarly, a host/client machine is 
considered an intruder when the number of consecutive log in failures for any 
user, from that host, is higher than the configured limit 
(INTRUDER_HOST_ATTEMPTS). 


If a successful log in is encountered before the given limit, the count of log in 
failures is reset to zero. 


When a user becomes an intruder, his account is locked out for an interval of 
time specified in the configuration file (USER_RESET_TIME). 


When a host becomes an intruder, access to the FTP Server is denied for that 
host machine for an interval of time specified in the configuration file 
(HOST_RESET_TIME). 


See Parameters Related to Intruder Detection for more details on parameters. 
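
The counting and lockout rules above, modelled in Python as an added illustration (not NetWare code; the class and method names are hypothetical). The four fields stand in for the configuration parameters named above, reset times use the same unit as the clock value passed in because this section does not state the unit, and a host-attempts value of 0 disables detection as noted with the intruder log format later in this guide.

```python
# Added illustration: a model of the lockout rules described above, not NetWare code.
from dataclasses import dataclass, field

@dataclass
class IntruderTracker:
    user_attempts: int       # models INTRUDER_USER_ATTEMPTS
    host_attempts: int       # models INTRUDER_HOST_ATTEMPTS (0 disables detection)
    user_reset_time: float   # models USER_RESET_TIME, same unit as `now`
    host_reset_time: float   # models HOST_RESET_TIME, same unit as `now`
    _fails: dict = field(default_factory=dict)    # ("user"|"host", name) -> failures
    _locked: dict = field(default_factory=dict)   # ("user"|"host", name) -> unlock time

    def _is_locked(self, key, now):
        until = self._locked.get(key)
        if until is not None and now >= until:
            del self._locked[key]          # lockout interval has elapsed
            self._fails.pop(key, None)
            until = None
        return until is not None

    def _fail(self, key, limit, reset_time, now):
        self._fails[key] = self._fails.get(key, 0) + 1
        if self._fails[key] > limit:       # "more than" the configured limit
            self._locked[key] = now + reset_time

    def attempt(self, user, host, password_ok, now):
        """Return 'ok', 'failed', 'user-locked' or 'host-denied' for one login."""
        if self.host_attempts == 0:        # intruder detection disabled
            return "ok" if password_ok else "failed"
        ukey, hkey = ("user", user), ("host", host)
        if self._is_locked(hkey, now):
            return "host-denied"
        if self._is_locked(ukey, now):
            return "user-locked"
        if password_ok:
            self._fails.pop(ukey, None)    # success before the limit resets the counts
            self._fails.pop(hkey, None)
            return "ok"
        self._fail(ukey, self.user_attempts, self.user_reset_time, now)
        self._fail(hkey, self.host_attempts, self.host_reset_time, now)
        return "failed"
```

The host counter is keyed only by the client address, so failures spread across many user names from one machine still trip the host limit even when no single user reaches the user limit.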


Access Restrictions 


The FTP service enables you to specify access restrictions for a user, a client 
host, and the IP address of a client host. The access restrictions can be 
specified in the restrictions file, which can be configured (RESTRICT_FILE). 
Access restrictions can be specified at various levels and multiple access 
rights are allowed. 


The levels of supported access restrictions include the following: 


+ Container level: The restriction can be specified for any NDS container. This 
will control all the users in that container and its sub-OUs. 

*container name 

The asterisk (*) indicates the container level restriction. The container 
should be a fully distinguished name. 


+ User level: The restriction can be specified for a particular user. 

.user name 

The period (.) indicates user level restriction. The user name should be a 
fully distinguished name. 


+ Domain level: The restriction can be specified at the domain level. This 
will control all the hosts in that domain and its subdomains. The 
following is the RESTRICT file format: 

DOMAIN=domain name 

The DOMAIN= key word indicates the domain level restriction. 


+ Host level: The restriction can be specified for a particular host machine. 

ADDRESS=host name/IP address 

The ADDRESS= key word indicates the host level restriction. The host 
name or IP address of the host can be specified. 


DNS must be configured correctly for address and domain name 
restrictions. 


The access rights permitted include the following: 


+ DENY: Denies access to the FTP Server for that client. 

+ READONLY: Gives read-only access to the client. 

+ NOREMOTE: Restricts access to remote server navigation. 

+ GUEST: Gives only Guest access to the user. Guest users are those users 
who cannot navigate to remote servers. A guest user has access only 
within the guest user's home directory and subdirectories. 

+ ALLOW: Gives normal FTP access without restriction. 


Key words 


The ADDRESS= key word should be used to restrict a particular node. The IP 
address or machine name can be used. 


The DOMAIN= key word should be used to restrict a particular Domain. 
The asterisk (*) should be used for container level restrictions. 


The ACCESS= key word is mandatory for each line. It should be followed by 
access rights. 


NOTE: The ACCESS= key word should precede the rights and is mandatory in every 
line. The access rights can be separated by a comma (,) and are taken according to the 
order in which they appear in the RESTRICT file. 


The format and organization of the RESTRICT file is as follows: 


+ Each line should have one entity name and corresponding access rights. 

+ The rights of the entities will be assigned according to the order of the 
RESTRICT file. If different rights apply to the same entity, the entry that 
appears latest in the RESTRICT file will be taken. 

+ All rights specified in the same line will be applied to that entity. 

+ If the RESTRICT file does not exist or is empty, the access is given to all 
users without any restrictions. 


Example 1 

*.novell ACCESS=ALLOW 
*.testou.novell ACCESS=DENY 
.user1.testou.novell ACCESS=READONLY 


User1 at testou will be allowed read-only rights. The other users at 
testou.novell will be denied the right. However, all other OUs at .novell will 
be allowed. 


Example 2 

*.testou.novell ACCESS=DENY 
*.novell ACCESS=ALLOW 


All OUs at .novell will be allowed because both rights apply to testou and the 
later one is taken. 


Example 3 

ADDRESS=Clientmachine1.blr.novell.com ACCESS=NOREMOTE 
.user1.novell ACCESS=READONLY 


User1 logging in from clientmachine1 will have read-only and no remote 
access. 


See Parameters Related to Access Restrictions for more details on parameters. 
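
The matching and ordering rules above, worked as an added Python example (not NetWare code; the function names are hypothetical). How a user or container line combines with a host or domain line is inferred from Example 3; treating DENY as overriding other rights and matching names case-insensitively are assumptions.

```python
# Added illustration, not NetWare code: evaluates RESTRICT-style lines.
def parse_restrict(text):
    """Return [(kind, name, rights)] for each non-blank line, in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        entity, sep, rights = line.rpartition("ACCESS=")
        if not sep or not rights.strip():
            raise ValueError(f"ACCESS= is mandatory on every line: {line!r}")
        entity = entity.strip()
        if entity.startswith("*"):
            kind, name = "container", entity[1:]
        elif entity.upper().startswith("DOMAIN="):
            kind, name = "domain", entity[len("DOMAIN="):]
        elif entity.upper().startswith("ADDRESS="):
            kind, name = "address", entity[len("ADDRESS="):]
        elif entity.startswith("."):
            kind, name = "user", entity
        else:
            raise ValueError(f"unrecognised entity: {line!r}")
        rights = [r.strip().upper() for r in rights.split(",") if r.strip()]
        rules.append((kind, name.strip().lower(), rights))
    return rules

def _matches(kind, name, user_dn, host, ip):
    if kind == "user":
        return user_dn == name
    if kind == "container":    # the container and its sub-OUs
        return user_dn.endswith(name)
    if kind == "domain":       # the domain and its subdomains
        return host == name or host.endswith("." + name)
    return name in (host, ip)  # ADDRESS=: host name or IP address

def effective_rights(rules, user_dn, host="", ip=""):
    """Combine the last matching user/container line with the last host line."""
    user_dn, host = user_dn.lower(), host.lower()
    who, where = ["ALLOW"], ["ALLOW"]   # no matching line: unrestricted
    for kind, name, rights in rules:
        if _matches(kind, name, user_dn, host, ip):
            if kind in ("user", "container"):
                who = rights            # a later line replaces an earlier one
            else:
                where = rights
    combined = set(who) | set(where)
    if "DENY" in combined:              # assumption: DENY overrides the rest
        return {"DENY"}
    return combined - {"ALLOW"} or {"ALLOW"}
```

Feeding the two lines of Example 2 to `effective_rights` for a user in testou returns ALLOW, which makes the ordering hazard concrete: a broad ALLOW placed after a narrower DENY silently voids the DENY.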


Anonymous User Access 


The FTP server supports an anonymous user account. This account provides 
people with access to public files. Access to the anonymous user account can 
be enabled or disabled by setting the ANONYMOUS_ACCESS parameter in 
the configuration file. By default, the parameter is set to No. The path of the 
anonymous user's home directory can be specified in the configuration file, in 
the ANONYMOUS_HOME directory parameter. 


An anonymous user account can be initialized by loading the FTP Server with 
the -a option. This creates the anonymous user, creates the home directory (if 
it is not available), and adds access rights to the anonymous user. The 
administrator name and password are then taken from the screen and the 
anonymous user is created in the NDS tree at the default context. Also, the 
configured anonymous home directory is displayed on the screen with an 
option to modify it. 


If the administrator does not specify a home directory, then the default 
directory is taken. The anonymous user will have only read and file scan rights 
to the default directory. If the administrator specifies the anonymous home 
directory, then the directory is created and the anonymous user will have read, 
file scan, create, delete, and modify rights to that directory. 


See Parameters Related to Anonymous User Access for details on parameters. 


FTP Log Files 


The FTP log file records information about various activities of the FTP 
Server. 


The FTP Server has four log files for logging different information. All the 
log files are created in the FTP_LOG_DIR directory specified in the 
configuration file. The amount and type of information is controlled by the 
LOG_LEVEL parameter defined in the configuration file. 


The log levels supported are: 

+ L ERROR 1 
+ L WARNING 2 
+ L INFO 4 


If the log level is 3, then error messages and warning messages will be logged. 
At the default log level of 7, all messages will be logged. 


Audit Log File 


The Audit log has details about the log in and activities of the user. The default 
path for this file is SYS:/ETC/FTPAUDIT.LOG. The file has entries for login, 
logout, and other file system related operations like mkdir, rmdir, put, set, 
delete, and so on. 


The general Audit log format is: 


Log level: Thread ID: Date Time: IPaddress: Username: 
servername optional: message. 


Statistics Log File 


Details of all active sessions such as number of users logged in/out, number of 
failures during data transfer and so on are maintained in the status log file. The 
default path for this file is SYS:/ETC/FTPSTAT.LOG. 


The statistics log file maintains three record types, each of which is separated 
by a comma. The record types are: 


+ TRANSFER: Contains information related to the data transfer 
+ USER: Contains information related to users logged in/out 
+ FAILURE: Contains information about the number of failures during data 
transfer 


Intruder Log File 


The Intruder log file provides information about unsuccessful login attempts. 
The default path of the intruder log file is SYS:/ETC/FTPINTR.LOG. The 
following information is recorded in the file: 


+ The address of the machine where the login originated 
+ The time of the attempted access 
+ The login name of the user 


Using this information, you can determine which machine the unauthorized 
user is using. You can also determine the number of times a specific 
unauthorized user has attempted to access the system. 


The general Intruder log format is: 


ErrorLevel: Date Time: Client IPaddress: UserName: 
message 


If intruder host attempts = 0 then intruder detection is disabled. 


System Log File 


The System log file contains all the internal system related information 
encountered by the FTP Server. 


The general System log file format is: 


Error: Thread ID: Date Time: Message 


See Parameters Related to FTP Logs for details on parameters. 


Active Sessions Display 


To load the Active Sessions Display Utility, type 

ftpstat [-p port number] 


You can enter the port number to which the HTTP browser should connect to 
view the NetWare FTP Active Sessions. The default port is 2500. 


Use 

http://servername:port/ 

from the browser to see the active session details. 